Disclosed herein are systems and methods for detecting data breaches and, more specifically, systems and methods for detecting data breaches and preventing fraud, including healthcare insurance fraud, using both a computer association component (Interpretation model) and a self-sensitizing/self-desensitizing component (SS/SDS model) operating on a breach observation line (BOL).
The term “Critical Infrastructure” describes societal assets crucial to the functioning of a society and its economy. The United States Department of Homeland Security lists several critical infrastructure sectors, a few of which are banking and finance, energy, food and agriculture, transportation, and healthcare. Given the importance of data transfer to almost every facet of day-to-day existence, it is no surprise that each of the eighteen Sector Specific Plans (circa July, 2012) contained within the Department of Homeland Security's National Infrastructure Protection Plan (NIPP) has subsections dedicated to the protection of data and to the risks posed by misuse of the sector's data. This description focuses on one critical infrastructure sector: healthcare. Healthcare was chosen because of its broad reach into issues ranging from government regulation and commerce to privacy, malware, and, of course, personal healthcare decisions. It should be noted, however, that the disclosed systems and methods are applicable to all critical infrastructure sectors, including all areas of society that handle data, regardless of how important that data is to the infrastructure of the country in question.
In 2010 and 2011, over 18 million persons were affected by Patient Information/Protected Information (PI) breach events (or breaches). Between 2005 and 2008, there were 39.5 million PI breaches at healthcare establishments alone. These breaches have ranged from the loss of paper medical records transported by medical personnel between work and home, to the theft of millions of electronic medical records from healthcare establishment databases by employees or malicious code. The problem of PI breaches at healthcare establishments has grown with the trend toward implementation of electronic health record systems. A 2011 Ponemon Institute survey reported that 96% of healthcare establishments surveyed had a PI breach during 2010-2011, a 32% year-on-year increase in the frequency of breaches accompanied by a 10% year-on-year increase in the economic impact of a breach. A 2010 Data Breach Investigation Report from Verizon revealed that almost half (48%) of data breaches involved an “insider,” and 90% of those breaches occurred with malicious intent.
The driver for the intentional breach is the ability to use a stolen medical record to perpetrate medical fraud. A stolen medical record is worth $50 on the black market, compared to $1 for a stolen social security number. The average financial damage done when a stolen medical record is used to commit medical fraud is $20,000, compared to $2,000 for a stolen financial record. 29% of those involved in a breach go on to suffer some form of identity theft (a 26% increase from 2010).
Federal agencies are tasked with policing healthcare establishment PI breaches in an attempt to mitigate these trends. The Center for Medicare and Medicaid Services (CMS), an agency within the Department of Health and Human Services, administers the HIPAA (Health Insurance Portability & Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) Acts, which govern how medical records are maintained, transferred, stored, and shared so that patient privacy is maintained under the provisions of the Security and Privacy Rules. Within CMS is the Office of Civil Rights (OCR), which has legal authority to levy fines against covered entities that do not maintain PI privacy under the HIPAA and HITECH Acts. Starting in 2009, the fine structure was gradated from level A to level D, with the maximum fine levied at level D being $1.5 million; this represented a 6000% increase in the maximum fine. The first fines were levied by OCR under this new system starting in 2011 and, as of February, 2012, have totaled $7.1 million.
The primary monetary damage to a breached entity following a healthcare establishment PI breach is not, however, the fine levied by OCR. The primary damage is, rather, the follow-on class action lawsuit in which damage amounts are assessed for the individuals whose records were released in the breach. Damages are decided relative to financial damage and to damage to the released medical record, as occurs in cases of medical record fraud subsequent to a breach. Emotional damages are not considered, as was recently determined in the US Supreme Court case Fed. Aviation Admin. v. Cooper, 131 S. Ct. 1441 (2012). Cases where it cannot be proven that damage was done (financial or otherwise) are similarly dismissed, as was recently seen when Oregon's Supreme Court declined to hear Paul v. Providence Health System-Oregon on the grounds that there had been no proven damage to the litigants.
However, the lack of merit in Paul v. Providence was decided seven years after the breach in question, and the lack of damage was decided primarily on financial grounds. Litigants are now focusing on financial and medical record damage, and litigating much earlier, to take advantage of the period when the damage to breached records is not yet fully known. In this situation, the average damage value assessed to each record released is $1,000, as is borne out by exemplary cases involving TRICARE and Science Applications International Corporation ($4.19 billion class action suit filed in 2011) and Sutter Health Care ($4.25 billion class action suit). Thus, it is during this period that the two parties, litigants and defendants, have an interest in either proving or disproving damage due to breached medical records.
Concomitant with the threat posed by the growing healthcare establishment PI breach issue is the problem of healthcare insurance fraud and “Medicare/Medicaid over-billing” (also referred to as “over-billing” or “CMS over-billing”). Medicare fraud is a $60 billion per year crime and, as such, has supplanted cocaine as the primary criminal enterprise in Florida. PwC (PricewaterhouseCoopers LLC) reports that 36% of surveyed hospitals and physician groups have seen incidents of patients seeking services using someone else's name and identification.
Breached medical records are frequently used in the perpetration of fraud, but they are not a prerequisite for it. Dr. Jacques Roy was indicted in February, 2012 for his central role in a Medicare billing ring that rang up more than $375 million in bogus claims over a five-year period. A May, 2012 indictment of 107 practitioners revealed a Medicare fraud ring responsible for $452 million in false claims.
U.S. Pat. No. 8,073,520 to Kamath et al. describes systems and methods for replacing signal artifacts in a glucose sensor data stream. U.S. Pat. No. 6,321,338 to Porras et al. describes a surveillance system. U.S. Pat. No. 7,836,496 to Chesla et al. describes a system for dynamic network protection. U.S. Pat. No. 8,117,049 to Berkobin et al. describes methods and systems for determining driver behavior. U.S. Pat. No. 8,131,922 to Ennis et al. describes methods and apparatus relating to the impact of changes in computer networks. U.S. Pat. No. 3,914,586 to McIntosh describes methods and apparatus for data compression. U.S. Pat. No. 8,010,469 to Kapoor et al. describes systems and methods for processing data flows. U.S. Pat. No. 7,356,843 to Kingsford et al. discloses a security incident identification and prioritization system. U.S. Pat. No. 7,805,377 to Felsher et al. discloses an information record infrastructure, system, and method.